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ABSTRACT 

The SP-100 is an electrical generating nuclear power system for space 
operation. This paper describes the nuclear reactor control systems and the 
methods used to assure reliable performance for the 10-year design life. Reliable 
performance is achieved by redundancy and by selecting highly reliable 
components and design features. Reliability is quantified by analysis using 
established reliability data. Areas lacking reliability data are identified for 
development testing. A specific development test description is provided as an 
example to demonstrate how this process is meeting the system reliability goals. 

INTRODUCTION 

The nuclear system control and shutdown functions are provided by the 
moving reflector segments surrounding the reactor core and by the in-core safety 
rods. The moving reflector drive system is capable of precise reactor control as 
well as reactor shutdown while the safety rod drive system provides fail-safe 
reactor shutdown capabilities. Figure 1 shows the overall reactor system 
arrangement and the relative locations of the two reactor control systems. Figures 
2 and 3 show components tested and typical results obtained. Table 1 gives the 
nominal design environments of the control systems. 

DESIGN DESCRIPTION 


Reflector Control System 

Reactor power control is achieved by moving neutron reflecting material 
axially relative to the reactor core. Electromechanical drive units located aft of the 
radiation shielding provide the power to move the reflector sections. A ball nut 
and screw assembly converts the rotary motion of the drive motor to linear motion 
needed to move the reflectors. A brake assembly locks the reflector in position 
when it is not being driven. Figure 1 includes a figure of the single reflector drive 
assembly. The drive system is capable of moving the reflector segments in small 
increments and has precise positioning capabilities. Figure 2 shows some of the 
test results for the reflector components tested. 
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Safety Rod 


Reactor shutdown capabilities are provided by the incore safety rods for 
launch and for severe accidents. Figure 1 includes a schematic of a safety rod 
and its drive system. Figure 3 shows some of the test results and key features for 
the safety rod components. Each rod contains sufficient neutron poison to 
prevent operation. When the poison is located within the core region, the safety 
rod is mechanically locked in position to prevent inadvertent withdrawal. 
Electromechanical drive assemblies located aft of the reactor shielding provide the 
unlock and the drive functions needed to move the poison out of the reactor core 
region. Electromagnetic clutches and brakes connected to the drive motor are 
used to select the desired drive and/or unlock function. A spring motor device 
stores energy to move the safety rod to the shutdown position on command or 
automatically at predetermined reactor conditions. 

Design Challenges 

The mechanical designs of the two systems share many common features 
all of which share the challenge of reliable operation in the harsh environment of 
high temperature, vacuum and radiation. Both include stepper motors, clutches, 
brakes, bearings, sliding surfaces, and springs, all of which must remain 
functional and maintenance free for 1 0 years. Material selections are limited for 
this extreme environment. Changes in material properties and strength 
characteristics, dimensional stability, self-welding, diffusion and evaporation must 
be considered for each material selected and for each material couple. 

Moving and sliding elements near the reactor core region are challenged by 
the extremely high temperatures. Refractory metals are needed for the structural 
materials with carbide coatings on the critical contacting surfaces. Radiation 
induced material swelling is a major concern for items located near the reactor 
core. 

RELIABILITY CONSIDERATIONS 
Overview 


Reliability of the reflector control and safety rod drive assemblies for the 
overall 1 0-year mission depends upon the presence of initial operational reliability, 
operational reliability throughout the mission, and an end-of-life significantly 
beyond the mission time. 


Initially, the reflectors and safety rods must be capable of moving to the 
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operational positions and remaining there with high reliability. This depends on 
the drive assemblies 1) being capable of performing their functions subsequent to 
fabrication and assembly-confirmed by acceptance testing, 2) surviving the 
launch-assured by design and structural analysis according to prescribed NASA 
methodology, validated by component and subassembly testing, and 3) reliably 
deploying and going into initial operation, given that they survived launch-assured 
by qualification testing, low component failure rates and the short time lapse 
before initial operation. 

For the duration of the mission between start-up and end-of-mission, 
redundancy and low component failure rates assure the reliability of the reflector 
and safety rod functions to hold, scram, and shutdown. For most functions, the 
loss of a reflector or a safety rod can be tolerated. 

Satisfactory margins between the mission time and the mean lifetime of the 
reflector control and safety rod drive assembly critical components assures that 
wear will not be a source of mission failure. Identification of failure modes and 
associated failure mechanisms in Failure Modes and Effects Analysis provides the 
basis for failure mechanism analysis, a process whereby identified failure 
mechanisms are examined for adequacy of data to support lifetime validation. If 
sufficient data are available, design margin studies are performed to provide an 
assessment of the margin of lifetime beyond the mission time. If sufficient data 
are lacking, specific needs are identified and factored into development programs 
planned or underway. 

Assurance of Initial Operation Reliability 

Prior to the SP-100 System Design Review held in 1988, structural analyses 
were done for the reflector control and safety rod drive assemblies. As part of 
these analyses, the structural response of the drive assemblies to the dynamic 
loading and vibration of launch were evaluated. Satisfactory margins were 
demonstrated for both types of drive assemblies. Since the System Design 
Review, the designs of both drives have changed; the changes to the safety rod 
drive assembly are small enough that the analysis results still hold true. The 
reflector control drive assembly changes are significant and, therefore, the 
structural analysis will be repeated. In the interim, preliminary analysis indicates 
satisfactory margin is available. 

Mission Reliability Enhancement Through Redundancy 

In the reflector control drive assemblies, redundancy has been built into the 
coils of the motor, brake, and position sensors, allowing reflector failures to be 
tolerated while meeting mission requirements. 
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In the safety rod drive assemblies, redundancy has been built into the 
safety rod drive motors, clutches, and brakes, supporting particularly the 
withdrawal function necessary for initial operation. To enhance the operational 
reliability throughout the mission, dual coils are built into the scram clutches so 
that inadvertent scram is less likely due to coil wire failure or a controller false 
signal. Multiple safety rod drive assemblies assure that the scram function will be 
reliable over the mission time, since, for most anticipated events requiring safety 
rod action, insertion of one safety rod is sufficient to safely shutdown the reactor. 

Lifetime Reliability Through Failure Mechanism Control and Design Margins 

Understanding of life limiting failure mechanisms through failure mechanism 
analysis (FMA) and the validation that lifetime margins exist through design 
margin studies (DMS), provide assurance that component end-of-life is sufficiently 
beyond the mission time. To date, 23 FMA’s and four DMS’s have been 
completed for the reflector control and safety rod drive assemblies. 

Of the completed DMS’s, one addressed the reflector and safety rod 
cladding failure due to embrittlement from oxygen released from the beryllium 
oxide (BeO) during irradiation. The conclusion of this study was that over the 
mission time the oxygen released in the lattice by the beryllium transmutation can 
be easily accommodated within the BeO lattice itself. As such, no oxygen release 
by diffusion from the BeO will occur. The potential failure mechanism identified 
and evaluated is not operative over the 10-year mission and cannot lead to safety 
rod or reflector element cladding failure. 

Another completed DMS addressed the reflector and safety rod cladding 
failure due to BeO volumetric bulk expansion from irradiation induced swelling or 
microcracking. End-of-life was defined to correspond with take-up of the gap that 
exists at beginning-of-life between the BeO and the cladding. This is a 
conservative limit in that actual failure would correspond to considerable 
expansion beyond take-up of the gap, producing cladding distortion and, 
ultimately, jamming of the safety rod or reflector. Detailed designs will provide 
gaps that assure the desired lifetime goal are met. 

A third DMS addressed the crack/ship/spalling/wear failure mechanisms of 
the alumina coating used to protect reflector drive assembly tantalum-tungsten 
alloy components within self-aligning bearings. The conclusion was that the 
coating, on the basis of tests performed in the early 1970's in connection with the 
advanced zirconium hydride reactor control system drives, had a reasonable 
margin on lifetime. This result will be reviewed for consistency with the modified 
application of the self-aligning bearing as we change the design from the hinged 
to the sliding reflector concept. 
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The fourth DMS addressed one of several failure mechanisms that could 
lead to self-welding of the safety rod to the molybdenum alloy thimble liner - 
specifically, the liner material fusing to itself in the event of liner material pickup 
onto the hardfaced safety rod slider bearing. Three generic material transport 
processes were identified as applicable to this failure mechanism. 

Sufficient data were available to show that two of these processes had very 
large margins to failure over the mission lifetime; data to close out the third will 
come from experiments planned in the development program. 

Twelve planned DMS’s will address life-limiting failure mechanisms affecting 
coils, insulation and mechanical components. Included are several DMS's which 
explore other failure mechanisms that could lead to self-welding of the safety rod 
to the thimble liner. One of these is self-welding of the actual safety rod slider 
bearing carbide coating to the molybdenum alloy liner of the thimble. Another is 
the loss of the carbide coating in that, should loss of coating occur, the PWC-1 1 
substrate material of the slider bearing would then be exposed to the 
molybdenum alloy, resulting in a couple more prone to self-welding. The causes 
that drive or enable these mechanisms to process have been identified as thermal 
aging, thermal cycling, and radiation. The need to adequately understand these 
failure mechanisms and the respective lifetime margins are the basis for the 
development programs described below. This program is a typical example of the 
ongoing process development and material evaluation resulting from the failure 
mechanism analysis. 

SAFETY ROD MATERIAL SELECTION AND TESTING 

Theoretical considerations and practical experience suggest a refractory 
metal carbide paired with Mo-41 Re alloy is a promising material couple for use in 
the control rod/thimble system. This combination should not self-weld. 
Furthermore, the chemical stability of these carbides and their refractory nature 
make them likely to withstand the reactor core environment. Testing is required 
under prototypic conditions to validate material selections and applications. 
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Table 1. Design Environment 



NOMINAL 
TEMPERATURE, K 

NOMINAL 
PRESSURE, TORR 

Reflector 

1320 

10' 9 

Reflector Drive 

811 

io 9 

Safety Rod 

1600 

10' 9 

Safety Rod Drive 

811 

10' 9 
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Figure 1. Control Drive Assemblies 
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Figure 3. Safety Rod Drive Development 
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